Difference between pages "Java" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(IDX file format)
 
(HackingTeam)
 
Line 1: Line 1:
{{Expand}}
+
'''Malware''' is a short version of '''Malicious Software'''.
  
== Java WebStart Cache ==
+
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
As of Java version 6 the Java WebStart Cache can be found in the following locations.
+
  
On Linux
+
== Virus ==
<pre>
+
A computer program that can automatically copy itself and infect a computer.
/home/$USER/.java/deployment/cache/
+
</pre>
+
  
On MacOS-X
+
== Worm ==
<pre>
+
A self-replicating computer program that can automatically infect computers on a network.
/Users/$USER/Library/Caches/Java/cache/
+
</pre>
+
  
On Windows XP
+
== Trojan horse ==
<pre>
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\
+
</pre>
+
  
On Windows Vista and later
+
== Spyware ==
<pre>
+
A computer program that can automatically intercept or take partial control over the user's interaction.
C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\
+
</pre>
+
  
== IDX file format ==
+
== Exploit Kit ==
Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems.  As such, the following information should not be considered to have been exhaustively researched.
+
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
  
Values are in big-endian.
+
=== Drive-by-download ===
 +
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
  
<pre>
+
== Rootkit ==
00000000  01 00 00 00 02 5b 00 00  00 00 1d c7 b4 00 00 01  |.....[..........|
+
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
00000010  1f 81 29 fe b8 00 00 00  00 00 00 00 00 00 00 01  |..).............|
+
00000020  2b 24 4a cb dd 01 00 00  00 00 00 00 00 00 00 00  |+$J.............|
+
00000030  00 00 00 00 00 00 00 00  01 2b 24 4a a4 cd 00 00  |.........+$J....|
+
00000040  01 2e 45 83 f4 18 00 00  00 00 00 00 00 00 00 01  |..E.............|
+
00000050  01 00 00 00 00 00 00 00  00 00 00 00 01 2b 24 4a  |.............+$J|
+
00000060  a4 cd 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+
</pre>
+
  
The header (or section 1) is 128 bytes in size and contains:
+
== See Also ==
{| class="wikitable"
+
* [[Malware analysis]]
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| 0
+
| 1
+
|
+
| Busy (flag byte)
+
|-
+
| 1
+
| 1
+
|
+
| Incomplete (flag byte)
+
|-
+
| 2
+
| 4
+
| 00 00 02 5b (603)
+
| Format version
+
|-
+
| 6
+
| 1
+
|
+
| Force update (flag byte)
+
|-
+
| 7
+
| 1
+
|
+
| No-href (flag byte)
+
|-
+
| 8
+
| 1
+
|
+
| Is shortcut image (flag byte)
+
|-
+
| 9
+
| 4
+
|
+
| Content-Length
+
|-
+
| 13
+
| 8
+
| 00 00 01 1f 81 29 fe b8
+
| Last modification date (Number of milli seconds since Jan 1, 1970 00:00:00)
+
|-
+
| 21
+
| 8
+
|
+
| expiration date (Number of milli seconds since Jan 1, 1970 00:00:00) 0 if not expires?
+
|-
+
| 29
+
| 8
+
| 00 00 01 2b 24 4a cb dd
+
| Validation timestamp (Number of milli seconds since Jan 1, 1970 00:00:00)
+
|-
+
| 37
+
| 1
+
|
+
| Known to be signed (flag byte)
+
|-
+
| 38
+
| 4
+
|
+
| Size of section 2
+
|-
+
| 42
+
| 4
+
|
+
| Size of section 3
+
|-
+
| 46
+
| 4
+
|
+
| Size of section 4
+
|-
+
| 50
+
| 4
+
|
+
| Size of section 5
+
|-
+
| 54
+
| 8
+
| 00 00 01 2b 24 4a a4 cd
+
| Blacklist validation time (Number of milli seconds since Jan 1, 1970 00:00:00)
+
|-
+
| 62
+
| 8
+
| 00 00 01 2e 45 83 f4 18
+
| Certificate expiration date (Number of milli seconds since Jan 1, 1970 00:00:00)
+
|-
+
| 70
+
| 1
+
|
+
| Class verification status
+
|-
+
| 71
+
| 4
+
|
+
| Reduced manifest size
+
|-
+
| 75
+
| 4
+
|
+
| section4Pre15Length?
+
|-
+
| 79
+
| 1
+
|
+
| Has only signed entries (flag byte)
+
|-
+
| 80
+
| 1
+
|
+
| Has single code source (flag byte)
+
|-
+
| 81
+
| 4
+
|
+
| section4CertsLength?
+
|-
+
| 85
+
| 4
+
|
+
| section4SignersLength?
+
|-
+
| 89
+
| 1
+
|
+
| Has missing signed entries (flag byte)
+
|-
+
| 90
+
| 8
+
| 00 00 01 2b 24 4a a4 cd
+
| Trusted libraries validation time (Number of milli seconds since Jan 1, 1970 00:00:00)
+
|-
+
| 98
+
| 4
+
|
+
| reducedManifest2Length?
+
|-
+
| 102
+
| 26
+
|
+
| Unknown, empty values (likely reserved for future expansion of the header)
+
|}
+
  
The values present in the header are dependent on the version. The definition above is based on version 603 an intended as an example check the [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification] for more actual information.
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
To convert a timestamp in e.g. Python
+
=== Analysis ===
<pre>
+
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
print datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=0x011f8129feb8)
+
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
2009-02-16 22:17:07
+
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
</pre>
+
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
  
<pre>
+
=== Exploit Kit ===
00000080  00 00 00 39 68 74 74 70  3a 2f 2f 77 77 77 2e 74  |...9http://www.t|
+
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
00000090  6f 70 63 6f 64 65 72 2e  63 6f 6d 2f 63 6f 6e 74  |opcoder.com/cont|
+
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
000000a0  65 73 74 2f 63 6c 61 73  73 65 73 2f 43 6f 6e 74  |est/classes/Cont|
+
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
000000b0  65 73 74 41 70 70 6c 65  74 2e 6a 61 72          |estApplet.jar  |
+
</pre>
+
  
{| class="wikitable"
+
=== Rootkit ===
! align="left"| Offset
+
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
! Size
+
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
! Value
+
! Description
+
|-
+
| 128
+
| 2
+
| 00 00
+
| Version string size
+
|-
+
| 130
+
| 2
+
| 00 39
+
| Original URL string size
+
|-
+
| 132
+
| size
+
|
+
| Original URL string (UTF-8 without an end-of-string character?)
+
|}
+
  
<pre>
+
=== HackingTeam ===
000000b0                                          00 00 00  |            ...|
+
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
000000c0  0c 36 36 2e 33 37 2e 32  31 30 2e 38 36 00 00 00  |.66.37.210.86  |
+
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
</pre>
+
* [http://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/ Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love], by fG!, June 26 2014
 
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| ...
+
| 2
+
| 00 00
+
| Namespace string size
+
|-
+
| ...
+
| 2
+
| 00 0c
+
| IP string size
+
|-
+
| ...
+
| size
+
|
+
| IP string (UTF-8 without an end-of-string character?)
+
|}
+
 
+
<pre>
+
000000c0                                          00 00 00  |            ...|
+
000000d0  07 00 06 3c 6e 75 6c 6c  3e 00 0f 48 54 54 50 2f  |...<null>..HTTP/|
+
000000e0  31 2e 31 20 32 30 30 20  4f 4b 00 0e 63 6f 6e 74  |1.1 200 OK..cont|
+
000000f0  65 6e 74 2d 6c 65 6e 67  74 68 00 07 31 39 35 31  |ent-length..1951|
+
00000100  36 36 38 00 0d 6c 61 73  74 2d 6d 6f 64 69 66 69  |668..last-modifi|
+
00000110  65 64 00 1d 4d 6f 6e 2c  20 31 36 20 46 65 62 20  |ed..Mon, 16 Feb |
+
00000120  32 30 30 39 20 32 32 3a  31 37 3a 30 37 20 47 4d  |2009 22:17:07 GM|
+
00000130  54 00 0c 63 6f 6e 74 65  6e 74 2d 74 79 70 65 00  |T..content-type.|
+
00000140  18 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 61 76  |.application/jav|
+
00000150  61 2d 61 72 63 68 69 76  65 00 04 64 61 74 65 00  |a-archive..date.|
+
00000160  1d 53 61 74 2c 20 31 38  20 53 65 70 20 32 30 31  |.Sat, 18 Sep 201|
+
00000170  30 20 31 30 3a 30 31 3a  30 36 20 47 4d 54 00 06 |0 10:01:06 GMT..|
+
00000180  73 65 72 76 65 72 00 06  41 70 61 63 68 65 00 1b  |server..Apache..|
+
00000190  64 65 70 6c 6f 79 2d 72  65 71 75 65 73 74 2d 63  |deploy-request-c|
+
000001a0  6f 6e 74 65 6e 74 2d 74  79 70 65 00 1a 61 70 70  |ontent-type..app|
+
000001b0  6c 69 63 61 74 69 6f 6e  2f 78 2d 6a 61 76 61 2d  |lication/x-java-|
+
000001c0  61 72 63 68 69 76 65 1f  8b 08 00 00 00 00 00 00  |archive.........|
+
...
+
</pre>
+
 
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| ...
+
| 4
+
|
+
| Number of header value pairs
+
|-
+
| ...
+
| ...
+
|
+
| Array of header value pairs
+
|}
+
 
+
A value pair is variable of size and consists of:
+
{| class="wikitable"
+
! align="left"| Offset
+
! Size
+
! Value
+
! Description
+
|-
+
| 0
+
| 2
+
|
+
| Header value identifier string size
+
|-
+
| 2
+
| size
+
|
+
| Header value identifier string
+
|-
+
| ...
+
| 2
+
|
+
| Header value string size
+
|-
+
| ...
+
| size
+
|
+
| Header value string
+
|}
+
 
+
For the example above the size of the URL string can be found at offset 130 (0x82). The first 4 string values to extract from this data are prefaced with their lengths (or sizes) as 16-bit big-endian values. E.g. to retrieve the original URL string, read the WORD at offset 0x82, and translate it as a big-endian value (e.g. using Perl, <i>unpack("n",$data)</i>). Beginning at offset 0x84, the string is 57 (0x39) bytes long. At the end of that string, the next WORD is the length of the third string, also in big-endian format.
+
 
+
Once you've completed reading the initial 4 strings, there is a DWORD value which can be interpreted as the number of header values, followed by the individual header value definitions. Each header value definition consists of an identifier and a value string. Both strings are prefaced by a 16-bit big-endian (2-byte) value, containing the length of the string.
+
 
+
In many cases, the first header value contains the HTTP Response code of 302. Other header values (that have been observed so far) include a response of 200, as well as additional data (including time stamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.
+
 
+
== External Links ==
+
* [http://sploited.blogspot.ch/2012/08/java-forensics-using-tln-timelines.html Java Forensics using TLN Timelines]
+
* [http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html Almost Cooked UP Some Java]
+
* [http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html Finding Initial Infection Vector]
+
* [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification], by [[Mark Woan]], January 2013
+
  
=== Java source code ===
 
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/Cache.java.html Cache.java]
 
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/CacheEntry.java.html CacheEntry.java]
 
  
[[Category:Analysis]]
+
[[Category:Malware]]

Revision as of 02:15, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam